
Re: [cobalt-security] SUN don't care about security update ?



You did not buy a car without brakes, you bought a car without getting a
driver's license first.

Well, although I agree with the statement that Sun Cobalt should maybe put
more effort into patching leakages, because they deliver a full product
including the software, I think you overreact now. I guess they can expect
the machines to be operated by skilled professionals. It's not a My First
Sony. Part of the skill would be to understand to a certain level the kind
of threat that exists for a full-service server, and that this threat
exists from the moment you put the network cable in.

Of course no one can know everything, but I would expect you to know the basic
operation skills needed to secure the machine to quite a high level, so
stopping telnet, starting (and securing) sshd, putting on some kind of
firewall or portsentry, checking logs, blocking machines, using tools like
tripwire etc. etc.

When you buy a totally equipped holiday van, "ready to take you anywhere you
like", you can't complain if you hit the first tree because you don't know
how to drive it.

Jelmer
----- Original Message -----
From: "Simon Wilson"

> Home to as many as 200 websites or a single, powerful dedicated server.
> If you're a service provider, the Sun Cobalt RaQT server appliance is
> the alternative to "big iron" servers. The Sun Cobalt RaQ server
> appliance includes everything you need to begin hosting now.
>
>
> A direct quote from Cobalt's website. You see the last bit "everything
> you need to begin hosting now".
> Well read that as "everything you need provided you don't need it to be
> secure and don't mind if it gets hacked within 24 hours"
>
> I bought a RAQ4, it's the first server I ever bought, I knew nothing about
> Linux, servers, dns, nothing. I bought it to host websites for my small
> business. Within one week of subscribing to this list, reading manuals,
> researching on the web, I realised that it is totally insecure. I had
> bought a car without brakes, a house without doors, I might as well have
> left it lying in the street with a sign on it saying "nick me". Since
> that time I have had to learn very quickly all about the security issues
> and thanks to many people on this list I think my server stays
> reasonably secure.
>
> My point is: had the advertising been honest, had it said on the box -
> "looks good, nice spec but open door to hackers" I never would have
> touched it.
>
> In English law a product must be fit to perform the purpose for which it
> is sold. The RAQ4 out of the box is not fit to host websites.
>
>
> __________________________________________
> Simon
>
>
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>